As business goes digital, corporate boards and executives are becoming more acutely aware of cybersecurity concerns.
At this year’s RSA Conference held in San Francisco, a keynote panel discussion illustrated the breadth of these concerns—and also the challenge of addressing this inherently technical subject at the executive level.
Here is a sampling of “The Seven Most Dangerous New Attack Methods” as presented by a panel of experts, along with observations on how Boards and other leaders can translate this information into useful security and risk management decisions:
1. Rampant ransomware
Ransomware has hit the headlines. Hackers use this kind of malware to gain control of or threaten corporate systems, demanding payment in exchange for removing the malware.
Panelist Ed Skoudis, a faculty fellow at the SANS Technical Institute, said ransomware will continue to rise through 2017. While the ransom demanded is not necessarily exorbitant, this form of cyberattack provides criminals a simpler and more immediate payment, versus trying to sneak data out of a corporate network and monetize it.
“We’re seeing ransomware increasingly target network file servers, backups, and big databases,” Skoudis said.
2. Internet of Things (IoT) attacks
As businesses go further into the digital realm and rely on sensors and analytics, the interconnected-everything of IoT provides a rich new source of hacker targets, said Skoudis.
IoT is not only a target but also a launching pad for attacks, as illustrated by the Mirai botnet, which in late 2016 used connected devices including everything from security cameras to baby monitors to disable target sites by flooding them with gigabytes of internet traffic.
The good news, Skoudis said in response to an audience question, is that standard attack frameworks and scanning tools can help find these vulnerabilities before hackers do. Your information security organization is likely to use these tools already.
These first two types of attack will also be combined, Skoudis said, with hackers threatening physical devices and demanding bigger ransoms.
3. Industrial control systems attacks
Michael Assante, lead for Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) security at SANS, said an escalating series of attacks against power companies in the Ukraine showed that hackers have gradually developed the sophistication to cause outages through electronic attacks.
Assante, who was previously CSO of American Electric Power, said these were not generic attacks that accidentally caused service disruptions, but hacks that specifically targeted the ICS systems that control machines—“the devices that move things and make things.”
Companies that rely on these industrial systems should “prepare for ICS disruption at scale,” Assante said.
4. Evolving attacks on technical and architectural weaknesses—as always
Johannes Ullrich directs the SANS Internet Storm Center, which tracks threats and attacks by scanning data from more than one million IP addresses. Ullrich said it’s a challenge each year to narrow new attacks down to only a handful for the purposes of the annual RSA panel. This year he rounded out the presentation with three relatively young attack vectors: weak random-number generators (which are commonly used in the process of encrypting data), attacks on vulnerabilities in Web-based software components and languages, and vulnerabilities in the newer “NoSQL” types of databases commonly used for big data analytics.
What should C-level executives take away?
A CEO’s eyes might glaze over in such a conference session. However, as the threats and potential impacts rise, it’s important to lean in instead.
Here are some high-level ways to think about whether a security program is up to these challenges.
- Agility is ever more important
  As technology changes business at an ever-faster rate, new vulnerabilities come along with it. A modern security program needs the budget and authority to identify, evaluate, and close new holes quickly.
  However, CEOs and Boards should note that not every vulnerability can be the top priority, Pete Lindstrom, a vice president at research firm IDC, told Connected Futures Magazine. “Many advanced attack techniques may be low-incidence events.” He said the question Boards sometimes ask, ‘Are we secure or not secure?’, is based on a false dichotomy. A truly agile security program needs to be able to prioritize its technical actions based on business considerations.
- Think about scenarios and responses ahead of time, particularly for ransomware
  Skoudis said some ransomware victims find that reality trumps principle. “You might say ‘We’re never going to pay the bad guys,’ but if the reality is a few bitcoins versus having your business shut down, you may change your stance,” he said.
  With attacks on industrial IoT looming, panelists said specific scenario planning is in order. “Would you pay to turn your lights back on? Your heat? Your car? Your factory?” Skoudis asked.
- Consider manual capabilities in your planning
  In the Ukraine, Assante said, hackers knocked out power service in part by tripping circuit breakers. Ironically, the power companies were able to restore service quickly through manual intervention—“rolling the trucks” to send workers to physically reset the breakers.
  Businesses further down the path of digitization may not have this capability. “Automation creates great efficiency, but it also creates dependency,” Assante said. Every organization should think carefully about “the right balance between man and machine. What [human] capabilities should we retain?” he asked.